We currently use User-ID with an on-premise Active Directory server. We are planning on moving to Azure AD (not to be confused with AD services in Azure). Are there any plan on getting User-ID to work with AzureAD (web Auth)? What other options can I use to continue to use User-ID if we do not have Active Directory on premise? Thanks.
There are several options:
-captive portal with ntlm,
-forwarding authentication logs to an on-prem UserID agent running as syslog collector,
-GlobalProtect (inside the network it will not set up vpn but will simply function as a userID client)
If we were to pull all of our domain controllers from on-premise, wouldnt that kill the first two options? GlobalProtect might be the only option but frown on as it is something that we will have to install. What APIs are you referring to?
@jharlow When @reaper talks about NTLM auth via CP he's referring to the firewall utilizing the NTLM protocol to to query a user's web browser for the credentials. When the browser provides credentials back those credentials are then checked against which ever directory you specify and then retained in cache also based on your specified duration.
If that "behind the screens" negotiation isn't successful users will get a browser pop-up asking the user for creds.
One thing to keep in mind you'll need to ensure the firewall's IP is in IE's local Intranet configuration so IE will pass creds to the FW via the automated NTLM process.
NTLM would simply ensure transparent authentication for the users if available/possible (pretty exclusive to windows) but in the backend 'normal' authentication methods can be used for which the AD does not to be on-prem
Syslogs can be sent out of the AD for succesfull authentication events and an on-prem User-ID agent can capture these and create user-IP mappings
XML API would require a lot of scripting, but it's doable : Send User Mappings to User-ID Using the XML API
I see the option under User-ID for NTLM (currently unchecked). Simply checking this is all that is needed? You mentioned it grabs the credentials from the browser, but if the user's machine is no longer on a local premise AD (simply connected via AzureAD through Windows 10), will there be credentials to grab? Let's assume the individual is prompted, however often will this take place (session cookie, restart of browser, PC restart, etc.) And lastly, since yes, NTLM is a Windows thing, how will Mac's and iOS devices handle this process? Will they simply get prompted to login and if so, the same last question applies (length of time).
I sent a request to support about AzureAD. This really needs to be added as there are more of us looking to move to Azure and less on-premise. Maybe PA version 11. :)
you'll also need to create a captive portal (aythentication) policy that is set to 'browser challenge'
it sends the browser a challenge, the browser will provide these (logged in user creds) if it trusts the firewall (needs to trust the certificate or via a pac file)
the browser or user is prompted when the configurable timeout occurs, so if ntlm works nicely you could have the browser re-queried every hour, if you need to resort to a webform, you could set the timeout to 4 hours or more, as not to bug users too much
you can have captive portal give the user a cookie, in case their IP changes that cookie can be presented instead of needing to authenticate
I wrote a bunch of stuff in this article: Getting Started: User-ID which you may find helpful
let me know if there's anything missing :)
I will re-itterate a Windows OS will not pass NTLM credentials to the firewall without modifiation to the client.
"WinHTTP sends user credentials only in response to requests that occur on a local intranet site. However, WinHTTP does not check the security zone settings in Internet Explorer to determine whether a website is in a zone that allows credentials to be sent automatically.
Looks like the KB points out a Win7 registry setting.
Win10 is in this directory:
Internet control panel
on the right - open
Site to Zone Assignment List
Enable it and click SHOW
enter the IP address as the Value Name
the Value should be 1 for Intranet zone
Click Accept as Solution to acknowledge that the answer to your question has been provided.
The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!
These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the Live Community as a whole!
The Live Community thanks you for your participation!